Create New Article

Wiki Search

Personal tools

Access Control

From Proprofs

Access Control

You are here: Home > Schools > Comptia > Security+ Certification > Wiki Home > Study Guide

Security+ Study Guide


Table Of Contents


[edit section] Access Control

One of the most crucial areas of information security that dates back to its origins is the idea of access control. Access control is the ability of a system to limit access to only certain users. When you think access control, think “password.” Of course, there are many ways to authenticate users other than passwords, but passwords are probably the most well-known way of controlling access to resources, especially to information security laymen. We’ll now look into the specifics of access control.

[edit section] Types of Access Control Factors

One of the key questions associated with access control is: How do you ensure that a user is in fact who he claims to be? There are many ways to do so, and so they have been categorized into three types of factors.

  • Type I: What you know – Access control methods related to “what you know” include passwords, numeric keys, PIN numbers, secret questions and answers, and so forth. Basically, Type I access control depends on the user knowing something in order to access the information.
  • Type II: What you have – You probably use this access control method every day without realizing it. A physical key is used to open a door to your house through a lock – a form of Type II access control. In information security terms, Type II access control methods may include physical keys or cards, smart cards, and other physical devices that might be used to gain access to something.
  • Type III: What you are – This form of access control is closely related to biometrics or authentication by biological factors. Some high-tech systems may use fingerprints, retinal scans, or even DNA to ensure that a user is who he claims to be. This type of access control is considered the most secure because it requires that a user be physically present whereas the other two can be compromised by theft of a password or a keycard.

The best authentication systems use more than one factor (Type) to ensure a user’s identity; this is known as “multi-factor authentication.”

[edit section] The Workings behind Access Control

There are essentially three steps to any access control process.

1. Identification: Who is the user?

2. Authentication: Is the user who he says he is?

3. Authorization: What does the user have permission to do?

Authentication is achieved through the factors discussed above, but Authorization is actually achieved between the reference model and the Kernel of the operating system. The reference model is the system that directs the Kernel what it can and cannot access. A request to access information would be sent through the reference model to verify that the user requesting access should actually have access to what he is requesting. The kernel then acts only if the reference model directs it to do so.

[edit section] Methods of Access Control

Another very important question that should be raised when considering access control is: “Who determines which users have access to information?” The Security+ exam suggests three different methods of determining this:

  • MAC: Mandatory Access Control is the system in which a central administrator or administration dictates all of the access to information in a network or system. This might be used in high-security applications, such as with the label "top-secret government information". Under MAC, subjects (the user or process requesting access) and objects (the item being requested) are each associated with a set of labels. When a subject requests access to an object, access is granted if labels match, and denied if the labels do not match.
  • DAC: Discretionary Access Control is the system in which the owners of files actually determine who gets access to the information. In this system, a user who creates a sensitive file determines (through his own discretion) who can access that sensitive file. This is considered far less secure than MAC.
  • RBAC: Role-Based Access Control is related to a system in which the roles of users determine their access to files. For example, if Bob is a member of accounting, he should not be able to access the engineering files.

[edit section] A Last Word

Access Control is a very important and highly-tested subject! It is, like CIA, highly conceptual but crucial to understanding information security. It is used to ensure both the confidentiality and the integrity of information and therefore plays a large role in the CIA picture. You should spend time understanding the Types and Methods of access control so that you can ace this portion of the exam.

[edit section] Quick Review

1. On an Active Directory network the group(s) that a user is in determines his access to files. This is a form of:

a. MAC

b. DAC

c. Type II Authentication factor


e. Type I Authentication factor

2. Which of the following is not a possible description of Type III authentication?

a. Something you are

b. Fingerprints

c. Passwords

d. Retinal scans

3. Which of the following is the correct order of the access control process?

a. Identification, Authorization, Authentication

b. Authorization, Identification, Confidentiality

c. Identification, Authentication, Authorization

d. Confidentiality, Integrity, Availability

[edit section] Answers

1. Because the group that the user is in determines his access to files, it is not a far step to say that his role really determines his access to those files. The answer is RBAC. (D)

2. Passwords are Type I (something you know) rather than Type III (something you are), so the answer is C

3. The correct order of the process is C.

<<                              Table Of Contents                               Next Page>>>

Top 5 Contributors to this article

UsersArticle Contributions
Proprofs 7 contribs
Jbrown 4 contribs
Brotherbill 3 contribs
Timwalker 2 contribs
BUbear 2 contribs

Home  |  Site Map  |  Contact
Copyright © 2005-2014 - Privacy & Terms